Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up sting
Customers of the SmokeLoader malware have been detained
Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.
Following the Operation Endgame investigation, major malware droppers including IcedID, SystemBC, Pikabot, Smokeloader and Bumblebee, were shut down last year.
According to Europol, analysis of the contents of a seized database enabled it to identify customers of the SmokeLoader pay-per-install botnet, operated by an individual known as ‘Superstar’.
The law enforcement agency has now made arrests, carried out house searches, and conducted arrest warrants or ‘knock and talks’.
"Superstar used his botnet to run a pay-per-install service, enabling customers to gain access to victims’ machines. Customers used the service to deploy malware for their own criminal activities," Europol said.
"Investigations revealed that botnet access was purchased for a range of purposes, including keylogging, webcam access, ransomware deployment, cryptomining and more. Law enforcement tracked down the customers as they were registered in a database seized during Operation Endgame."
The malware had infected millions of computers around the world, according to the FBI. SystemBC facilitated anonymous communication between an infected system and a command-and-control servers.
Meanwhile, Bumblebee was distributed mainly via phishing campaigns or compromised websites, and was designed to enable the delivery and execution of further payloads on compromised systems.
SmokeLoader was mainly used as a downloader to install additional malicious software onto the systems it infected. Similarly, IcedID - also known as BokBot - had been further developed to carry out a range of crimes as well as the theft of financial data.
Europol hails success of largest botnet takedown
As part of last year's operation - the largest ever against a botnet - more than 100 servers were shut down or disrupted and over 2,000 internet domains tied to the hacking activities were seized.
But while last May's activities were focused on the high-level players who were using ransomware, for example, this latest set of raids is designed to mop up the customers of Cybercrime as a Service providers.
Law enforcement agencies in several countries were able to link online personas and their usernames to actual individuals.
"When called in for questioning, several suspects chose to cooperate with the authorities by facilitating the examination of digital evidence stored on their personal devices," Europol said.
"Several suspects resold the services purchased from SmokeLoader at a markup, thus adding an additional layer of interest to the investigation."
Europol said it’s not quite finished yet, either. The law enforcement agency is still investigating possible leads, revealing it has more suspects in the crosshairs.
MORE FROM ITPRO
- Botnets are being sold on the dark web for as little as $99
- Cobalt Strike abusers have been dealt a hammer blow
- The Zservers takedown is another big win for law enforcement
-
What businesses need to know about the update to Cyber EssentialsIn-depth Cyber Essentials was updated this April – what are the key changes?
-
Two US nationals sentenced for role in prolific fake worker laptop farmsNews The Americans were raising money for the North Korean regime by allowing fake IT workers to appear as legitimate US-based employees
-
Claude users beware, hackers are using a fake website to dupe developers and deliver malwareNews 'Beagle' is deployed through a Dynamic Link Library (DLL) sideloading chain, and gives attackers remote access to the system
-
North Korean hackers are duping freelance developers with fake interviews to steal cryptocurrency and deliver malware — Sophos warns the 'Nickel Alley' group is using LinkedIn, Upwork, and Fiverr to target victims
News A fake interview process uses coding tests and repo downloads to deliver malware
-
‘The build pipeline is becoming the new frontline’: Axios npm compromise highlights growing software supply chain risks, experts warnNews Cyber criminals exploited a hijacked maintainer account to compromise one of the world's most widely used JavaScript libraries
-
'It's destructive, not ransomware': Security experts weigh in on motivation behind Stryker cyber attackNews The attack on medical tech company Stryker has severely impacted operations globally
-
Thousands of Asus routers are being used to fuel a massive cyber crime spreeNews Black Lotus Labs has spotted a massive botnet of Asus routers built by malware that uses a common peer networking tool
-
The rise of teen hackers ‘makes for a good headline’, but cyber crime activities peak later in lifeNews With family responsibilities and mortgages to pay, it's not teenagers dishing out malware or carrying out cyber extortion
-
DIY hackers are turning to ‘flat-pack’ malware components to speed up attacks and cut costsNews While these malware campaigns are very basic, researchers noted “they still work”
-
‘They are able to move fast now’: AI is expanding attack surfaces – and hackers are looking to reap the same rewards as enterprises with the technologyNews Potent new malware strains, faster attack times, and the rise of shadow AI are causing havoc
